Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series Switches Best Practices Guide
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Contents
Preface vii
Audience vii
Conventions vii
Purpose 2-7
Prerequisites 2-7
Purpose 3-21
Prerequisites 3-21
Purpose 4-29
Prerequisites 4-29
Purpose 5-41
Prerequisites 5-41
Restrictions 5-41
LAN Access Switch Topology with Uplinks to a Distribution Switch or Distribution Router 5-43
Purpose 6-51
Prerequisites 6-51
Prerequisites 7-65
Restrictions 7-65
LAN Access Switch Topology with IEEE 802.1x Secure Access Control 7-67
Purpose 8-81
Prerequisites 8-81
Restrictions 8-82
Purpose 9-103
Prerequisites 9-103
Index
Preface
Audience
This document is written for network administrators who manage Cisco Catalyst 3850 Series and Cisco
Catalyst 3650 Series switches and switch stacks in their network. A basic understanding of Ethernet
networking is expected. Cisco Certified Network Associate (CCNA) level knowledge is helpful, but not required.
Conventions
This document uses the following conventions:
Convention  Indication
italic blue font  Example configuration values that are replaced with reader values.
bold font  Commands, keywords, and user-entered CLI appear in bold font.
italic font  Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]  Default responses to system prompts are in square brackets. Elements in square brackets are optional.
{x | y | z}  Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]  Optional alternative keywords are grouped in brackets and separated by vertical bars.
string  A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.
courier font  Terminal sessions and information the system displays appear in courier font.
< >  Nonprinting characters such as passwords are in angle brackets.
!, #  An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Note  Means reader take note. Notes contain helpful suggestions or references to material that is not covered in the manual.
Tip  Tips might not be troubleshooting steps or even actions, but can be useful information, similar to a Timesaver.
Timesaver  You can save time by performing the action described in the paragraph.
Ease of Deployment
This document describes best practices for deploying your Cisco Catalyst 3850 Series and Cisco
Catalyst 3650 Series switches.
Note Unless otherwise noted, the term switch refers to a standalone Catalyst 3850 switch, a Catalyst 3650
switch, or a switch stack.
A Cisco switch deployment best practice is a preferred configuration method to employ on your Catalyst
switches. It is a proven and tested way to improve network security, performance, and availability.
A best practice configuration includes an explanation of why you should perform a given task and a
sample snapshot of a full running configuration that you can extrapolate for your specific scenario.
Tip Use the configuration recommendations in this document as a template for your switch deployments.
Note Many Cisco documents are available that define best practices for a variety of features and solutions.
There will be some overlap between the information provided in this guide and other best practices and
deployment guides. When relevant, this document references other existing documents so the reader can
get a deeper understanding of an aspect of the 3850 operation. Otherwise, this document is
self-contained, and provides complete best practice configuration.
Configuration Tool
The configuration examples in this document use the Cisco IOS CLI configuration tool, which is the
most common tool used to configure a switch.
However, you do have the flexibility to use a different tool to perform switch configuration. Other
configuration tools are the Express Setup, Device Manager, and Cisco Prime.
The examples provided in this document show the CLI commands that you should execute on your
switch. You must replace the blue italicized example values with your own values.
Figure 1: Campus deployment. A Catalyst 3850 stack in the access layer, managed on switch management
VLAN 100, connects desktop users (data VLAN 10, voice VLAN 11), a printer (data VLAN 10), and wireless
access. The uplink is a trunk link with native VLAN 999 and all VLANs included, to dual redundant
direct-connect distribution switches running VSS (Cat6500/6800/4500) or vPC (Nexus 7000).
Cisco Catalyst Switch Configuration Workflow
Figure 2 shows a branch deployment, where the switch is connected to a router (ISR). Because the switch
operates as a Layer 2 switch, not many differences occur in the configuration between the campus or
branch deployment cases. Differences in the configuration are noted in the best practice procedures.
Figure 2: Branch deployment. A Catalyst 3850 stack in the access layer, managed on switch management
VLAN 100, connects a desktop user behind an IP phone (data VLAN 10), a second desktop user (data VLAN 10),
a printer, and wireless access. The uplink is a trunk link with native VLAN 999 and all VLANs included,
to dual redundant direct-connect routers running HSRP.
Configuration workflow (flowchart): Install a switch, then check whether the switch stack members are
running the same image (Yes / No) before continuing with the global and advanced configuration.
Switch Address Plan
Switch Stack Update
This workflow explains how to update all members of a switch stack with the same software image.
Before proceeding with global and advanced configurations on a switch stack, all stack members must
be running the same Cisco IOS XE release to avoid mismatch issues. In addition, any new switch that
needs to join the switch stack must also be running the same Cisco IOS XE release; otherwise, the switch
stack will not converge and the new switch will remain in a standalone state.
Note Updating a Catalyst 3850 or 3650 switch stack is different from updating a Catalyst 3750 switch stack.
Simply changing the boot statement to the desired .bin file is not recommended for Catalyst 3850 and
3650 switch stacks. The update process for Catalyst 3850 and 3650 switch stacks includes a series of
package files, which are extracted from the .bin file and loaded into flash.
Prerequisites
• Obtain a valid Cisco Connection Online (CCO) account with entitled credentials.
• The new Cisco IOS XE image is installed over FTP or TFTP, so an FTP or TFTP server that hosts the 3850
software must be reachable from the switch over an IP network.
• Install and configure the TFTP or FTP server before you begin.
• Verify that the TFTP block size is set at the maximum value of 8192, as described in the “Increase
the TFTP Block Size” section.
Note In the configuration examples, you must replace the blue italicized example values with your own values.
Note Configuration examples begin in global configuration mode unless noted otherwise.
Performing the Stack Update
Note The following tasks are to be performed in a sequence that is listed here.
Step 1 Download the desired .bin file from Cisco.com to the switch flash storage.
Note The purpose of this example is only to show you how the Cisco-suggested release symbol is designated,
and not to give you recommended release versions because those change over time.
Note To learn the differences for the install and bundle installation modes, see the “Working with the Cisco
IOS File System, Configuration File, and Software Bundle Files” chapter of the Cisco IOS File System,
Configuration Files, and Bundle Files Appendix, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Step 3 If your switch stack is running in bundle mode, use the request platform software package expand
switch file to flash command to convert it to install mode.
no boot system
boot system switch all flash:packages.conf
exit
write memory
reload
Note Because the format of the packages.conf file changed in Cisco IOS XE Release Denali 16.1, overwrite
the old packages.conf with the new packages.conf file. Perform the above step for each switch in your
stack. If you have a three-member stack, it must be done on flash:, flash-2:, and flash-3:.
Note Make sure the tftp server is reachable. To improve performance, increase the tftp block size to 8192. Use
the ip tftp blocksize bytes command in global configuration mode.
Step 5 Confirm that the switch stack is now running in install mode.
We recommend that you use a TFTP block size of 8192 (maximum allowed value) before attempting to
use TFTP or FTP to transfer a file to the switch. Refer to the “Increase the TFTP Block Size” section in
the “Global System Configuration” workflow for details.
Step 7 Make sure that there is connectivity to the TFTP server.
In this example, a TFTP server is used that is accessible through the in-band network.
ping 192.168.254.12
Step 8 After verifying connectivity, make sure that there is enough room in flash on all the switch stack
members.
Step 9 If you determine that files must be purged from flash, run the request platform clean switch command
to erase unneeded files within flash on all the stack members.
We recommend using the request platform clean switch command instead of individually deleting
files. The command provides a list of the files to purge so that you understand what files are deleted when
you confirm deletion.
Note Use switch all option to clean up all switches in your stack.
Note The request platform clean switch command also deletes the .bin file that is used to install the new
Cisco IOS software. After the .bin is extracted, you no longer need it.
Device# request platform software package clean switch all file flash:
Running command on switch 1
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
done.
Running command on switch 2
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
done.
The following files will be deleted:
[1]:
/flash/cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin
/flash/cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/packages.conf
/flash/packages.conf.00-
/flash/packages.conf.01-
/flash/packages.conf.02-
[2]:
/flash/cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin
/flash/cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg
/flash/packages.conf
/flash/packages.conf.00-
/flash/packages.conf.01-
/flash/packages.conf.02-
Do you want to proceed? [y/n]y
[1]:
Deleting file flash:cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.bin ... done.
Deleting file flash:cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Deleting file flash:cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450.SSA.pkg ... done.
Step 10 Copy the switch image from the TFTP server to flash using the copy tftp: flash: command.
The following example shows a server (192.168.254.12) whose user name (admin) and password (cisco) are
embedded in the URL. Note that TFTP itself has no authentication; credentials in the URL are meaningful
for FTP (copy ftp://admin:cisco@... flash:), and in either form they are recorded in the command history
and in AAA command accounting, so use a dedicated, low-privilege account on the file server. After the
copy completes, compare the file's checksum with the value published on Cisco.com (verify /md5
flash:filename) before you install it.
copy tftp://admin:cisco@192.168.254.12/IOS/3850/cat3k_caa-universalk9.SSA.16.1.0.EFT3-1.bin flash:
Step 12 After the reload completes, run the request platform software package clean switch all file flash
command.
Device# request platform software package clean switch all file flash:
Running command on switch 1
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
done.
Running command on switch 2
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
done.
To verify that stack members are using the same software, use the show version command on all
members of the switch stack.
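To check the stack with a script instead of by eye, the following Python program (an added example, not part of the Cisco guide) parses the per-member table that show version prints on the active switch and reports any member whose version or image differs from the active switch, or that is not running in INSTALL mode (Step 5 above). The show version excerpt is constructed; its model and version strings are illustrative, and the row regular expression assumes the column layout shown, so adjust ROW_RE if your release prints the table differently.

```python
"""Audit a Catalyst 3850/3650 stack for a consistent image and INSTALL mode by
parsing the member table at the end of `show version` on the active switch.

Added example, not part of the Cisco guide. SAMPLE_SHOW_VERSION is constructed
to match the member table layout; switch numbers, models and versions are
illustrative (switch 3 was added with an older image in BUNDLE mode).
"""
import re

SAMPLE_SHOW_VERSION = """\
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 56    WS-C3850-48P       03.06.05E         cat3k_caa-universalk9 INSTALL
     2 56    WS-C3850-48P       03.06.05E         cat3k_caa-universalk9 INSTALL
     3 56    WS-C3850-48P       03.03.05SE        cat3k_caa-universalk9 BUNDLE
"""

# One member row: optional '*' marks the active switch, then switch number,
# port count, model, version, image name and boot mode.
ROW_RE = re.compile(
    r"^\*?\s*(?P<switch>\d+)\s+(?P<ports>\d+)\s+(?P<model>\S+)\s+"
    r"(?P<version>\S+)\s+(?P<image>\S+)\s+(?P<mode>INSTALL|BUNDLE)\s*$"
)


def parse_members(show_version_text):
    """Return one dict per stack member row found in the show version text."""
    members = []
    for line in show_version_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["switch"] = int(row["switch"])
            row["active"] = line.startswith("*")
            members.append(row)
    return members


def audit_stack(show_version_text):
    """Return a list of findings; an empty list means every member runs the
    same version and image as the active switch, in INSTALL mode."""
    members = parse_members(show_version_text)
    if not members:
        return ["no stack member rows found in show version output"]
    active = next((m for m in members if m["active"]), members[0])
    findings = []
    for m in members:
        for key in ("version", "image"):
            if m[key] != active[key]:
                findings.append(
                    f"switch {m['switch']}: {key} {m[key]} differs from active "
                    f"switch {active['switch']} ({active[key]})"
                )
        if m["mode"] != "INSTALL":
            findings.append(
                f"switch {m['switch']}: running in {m['mode']} mode, expected INSTALL"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_stack(SAMPLE_SHOW_VERSION) or ["stack is consistent"]:
        print(finding)
```

Paste the real show version output into the function (or read it from a file) before starting the global configuration; a non-empty finding list means the stack has not converged on one image and the update procedure above must be repeated for the members named.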
Initial Switch Configuration
Note Replace the blue italicized example values with your own values.
Note The configuration examples provided in this document begin in global configuration mode, unless noted
otherwise.
Note The following configurations should be performed in the same sequence in which they are listed here.
Assign Initial Management Information
Note You can now proceed to the “Configure Secure HTTPS and Secure Shell for Secure LAN Management”
section.
Configure Secure HTTPS and Secure Shell for Secure LAN Management
Step 2 Disable the unencrypted HTTP and Telnet management protocols on the switch. HTTP is disabled with
the following command; Telnet is disabled in Step 3 by restricting the VTY lines to SSH (transport input ssh).
no ip http server
Step 3 Configure Secure HTTP (HTTPS) and Secure Shell (SSH) to enable secure management of the switch.
Enabling HTTPS automatically generates a cryptographic key for the service. When SSH is configured after
HTTPS, you do not have to explicitly generate the cryptographic key that SSH requires, unless you want
to change the default key size; in that case generate it explicitly (for example, crypto key generate
rsa modulus 2048) before enabling SSH.
We recommend that you use the transport preferred none command on the VTY lines. Without it, a mistyped
command at the EXEC prompt is treated as a host name to connect to: the switch attempts a DNS lookup and
an outbound Telnet connection, and the session hangs for a long timeout if the name server is unreachable.
ip http secure-server
ip ssh version 2
!
line vty 0 15
transport input ssh
transport preferred none
Note If the switch acts as a Web authentication server or as an authentication proxy, then do not disable the
HTTP server by executing the no ip http server command.
Note Configuring the TACACS+ protocol is optional and recommended only when using TACACS to manage
all of your network devices.
aaa new-model
tacacs server TACACS-SERVER-1
address ipv4 192.168.254.10
key cisco123
exit
!
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-SERVER-1
exit
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization exec default group TACACS-SERVERS local
ip http authentication local
Step 7 To save your configuration, use the write memory EXEC command in privileged mode.
write memory
Out-of-band management is managing the switch and all other networking devices through a physical
network, which is separate from the production network that carries end-user traffic. To manage the
switch with an out-of-band network, the switch uses the GigabitEthernet 0/0 interface. The
GigabitEthernet0/0 interface is physically located on the rear of the switch, next to the blue console port.
The following are the advantages of the GigabitEthernet 0/0 interface:
• The interface is not susceptible to network outages, such as broadcast storms or other potential
issues on the production network, because it is separated from the data plane.
• The interface is out-of-band and allows the switch and all other networking devices to always be
manageable, so that you can quickly respond whenever there is a network issue.
One limitation: this interface cannot be used as the source interface for sending SNMP traps. Sending
traps to an SNMP trap server requires an IP address on a VLAN interface; see the “Configure a Management
IP Address on an In-Band Interface” section.
Note Use the IP address value that you listed in the print-out (Table 3) for the out-of-band management
configuration.
In the following example, the GigabitEthernet 0/0 interface is not on the switch data plane. This interface
(also referred to as the service port) is terminated on the CPU of the switch, as opposed to a logical
interface of the forwarding ASIC. The GigabitEthernet 0/0 interface differs from the Ethernet interfaces
on the front of the switch because it is only a Layer 3 interface (also referred to as a routable
interface). The Ethernet interfaces on the front of the switch default to Layer 2 mode and are used for
bridging; they can be configured as routable interfaces with the no switchport interface command. The
GigabitEthernet 0/0 interface will not function without an IP address assigned to it.
Mgmt-vrf is built-in; you do not have to create one for out-of-band management.
ip default-gateway 192.168.2.1
Note Do not use VLAN 1 as the management VLAN for security purposes.
The management VLAN is a separate VLAN for managing the switch and all other network devices in
the same subnet. You should assign an in-band IP address to a VLAN interface regardless of whether an
IP address is assigned to the out-of-band interface.
With in-band management, the IP address can be reached through the production network. For
management purposes, the in-band IP address can be used the same way as the out-of-band IP address.
There is no functional difference. However, the in-band IP address has more capabilities because this is
the source IP address for some of the auto-generated traffic that comes from the switch, for instance,
SNMP traps use the in-band IP address.
You can assign an IP address to your VLAN interface before you configure the VLAN on the switch.
The VLAN interface is not operational until the VLAN is created in hardware, and at least one physical
interface, which is a member of the VLAN, is in a forwarding state.
This example shows a VLAN created for management and indicates that the IP address is reachable.
Note The switch supports IP address assignments to physical Ethernet interfaces that have been configured to
operate in Layer 3 mode.
Step 12 Configure the default gateway, as shown in the following example. Because IP routing is disabled
on a Layer 2 access switch, the gateway is set with ip default-gateway rather than with an ip route
statement; it functions as the default route for the switch's own management traffic.
ip default-gateway 192.168.1.1
Note This is an intermediate step, required only to make the switch reachable at Layer 3 and manageable
over SSH or HTTPS in addition to the console or Express Setup. You can skip this step if you continue to
use the console to complete the configuration, but it is required if you use another tool to complete the
configuration of the switch. The complete best-practice configuration for uplink connectivity is explained
in the “Uplink Interface Connectivity” workflow.
We recommend that you use a dummy VLAN as the native VLAN on trunk interfaces instead of the default
VLAN 1. Because all interfaces are assigned to VLAN 1 by default, this limits the traffic associated with
potential user misconfiguration and connection errors propagating across the trunk. It also ensures that
no access port shares the VLAN the trunk carries untagged, which is the precondition for 802.1Q
double-tagging (VLAN hopping) attacks.
All other VLANs on the uplink interfaces are tagged with an IEEE 802.1Q header inserted in the Layer 2
frame header.
The following example shows how to create the VLAN IDs in hardware and assign their names. The upstream
interfaces to the switch or router are modified to make them members of the new VLANs. You must have the
same VLAN ID on both ends of the Ethernet link to properly configure the management VLAN in hardware. A
“dummy” VLAN is used as the native VLAN on trunk interfaces; it is not used for data or management traffic.
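To show concretely what the dummy native VLAN buys you, the following Python model (an added example, not part of the Cisco guide) traces an 802.1Q double-tagged frame from an access port in data VLAN 10, across the trunk, to the upstream switch. It is a deliberately simplified model of tag handling (access-port ingress, trunk egress, trunk ingress) that ignores MAC learning, STP and everything else; the MAC addresses, VLAN IDs and payload are constructed. With the native VLAN equal to the host's access VLAN, the inner tag survives and the frame lands in management VLAN 100; with native VLAN 999 it stays in VLAN 10.

```python
"""Why the native VLAN on a trunk should be an unused dummy VLAN.

Added example, not part of the Cisco guide. Frames are raw bytes:
dst(6) src(6) [0x8100 TCI]* ethertype(2) payload. The switch model below is
simplified to the three tag-handling steps that matter for double tagging.
"""
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"constructed payload"):
    """Build an Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def read_tags(frame):
    """Return the VLAN IDs carried by the frame, outermost first."""
    vids, off = [], 12
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port: an untagged frame belongs to access_vlan; a frame tagged
    with access_vlan is accepted and its tag removed; any other tag is dropped."""
    vids = read_tags(frame)
    if not vids:
        return frame
    if vids[0] != access_vlan:
        return None
    return strip_outer_tag(frame)


def trunk_egress(frame, vlan, native_vlan):
    """Trunk egress: the native VLAN leaves untagged, every other VLAN tagged."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Trunk ingress on the upstream switch: the outer tag, or the native VLAN
    when the frame is untagged, decides which VLAN the frame is bridged into."""
    vids = read_tags(frame)
    return vids[0] if vids else native_vlan


def vlan_reached_upstream(frame, access_vlan, native_vlan):
    """Trace one frame from an access port across the trunk and return the VLAN
    it lands in on the upstream switch, or None if the access port drops it."""
    f = access_ingress(frame, access_vlan)
    if f is None:
        return None
    return trunk_ingress(trunk_egress(f, access_vlan, native_vlan), native_vlan)


# Constructed attacker frame from a host in data VLAN 10: outer tag 10 so the
# access port accepts it, inner tag 100 aimed at the management VLAN.
DOUBLE_TAGGED = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", [10, 100])

if __name__ == "__main__":
    print("native VLAN 10 (same as host VLAN):", vlan_reached_upstream(DOUBLE_TAGGED, 10, 10))    # 100
    print("native VLAN 999 (unused dummy VLAN):", vlan_reached_upstream(DOUBLE_TAGGED, 10, 999))  # 10
```

The only difference between the two runs is whether the access VLAN coincides with the trunk's native VLAN; when it does, the access switch sends the frame untagged and the attacker's inner tag becomes the outer tag on the far side. A native VLAN that has no access ports (and, on the default configuration, moving ports out of VLAN 1) removes that path.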
Note The show spanning-tree (Spanning Tree Protocol, STP) and ping commands used in this example require
that the upstream device (switch or router) is already configured and operating in the production
network; no additional configuration changes are required on it.
vlan 100
name switch_mgmt
exit
vlan 999
name dummy
exit
!
! The next step assumes the uplink interface is GigabitEthernet 1/1/1, but
! your uplink interface may be different.
!
interface GigabitEthernet 1/1/1
switchport mode trunk
switchport trunk native vlan 999
! Use “show spanning-tree vlan 100” to confirm VLAN 100 FWD on the uplink
! interface.
! Use “show interface trunk” to confirm GigabitEthernet 1/1/1 is
! operating in Trunk mode correctly.
VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 32868
Address 0022.bdd9.4c00
Cost 4
Port 49 (GigabitEthernet1/1/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Note Enter the show running-config command to display the initial management information for the
switch.
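As an added example (not part of the Cisco guide), the following Python script audits a saved show running-config against the recommendations in this chapter: ip http server disabled, ip http secure-server and ip ssh version 2 present, every line vty block restricted to transport input ssh with transport preferred none, no IP address on interface Vlan1, and every trunk carrying a native VLAN other than 1. The two running-config snippets are constructed; the interface names, addresses and VLAN IDs in them are illustrative. It is useful before the write memory step on any switch that was built by another tool.

```python
"""Audit a Catalyst 3850/3650 running-config against the secure-management
recommendations of the Initial Switch Configuration chapter.

Added example, not part of the Cisco guide. WEAK_CONFIG and HARDENED_CONFIG
are constructed snippets in `show running-config` layout (one-space indented
sub-commands); names, addresses and VLAN IDs are illustrative.
"""

WEAK_CONFIG = """\
!
ip http server
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
!
interface GigabitEthernet1/1/1
 switchport mode trunk
!
line vty 0 15
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
!
no ip http server
ip http secure-server
ip ssh version 2
!
vlan 100
 name switch_mgmt
vlan 999
 name dummy
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 192.168.1.10 255.255.255.0
!
interface GigabitEthernet1/1/1
 switchport mode trunk
 switchport trunk native vlan 999
!
line vty 0 15
 transport input ssh
 transport preferred none
!
"""


def parse_sections(config_text):
    """Split an IOS running-config into (top-level command, [sub-commands]).
    Indented lines attach to the preceding top-level command; '!' and blank
    lines are ignored."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config_text):
    """Return a list of findings; an empty list means all checks passed."""
    sections = parse_sections(config_text)
    top_level = {hdr for hdr, _ in sections}
    findings = []
    if "ip http server" in top_level:
        findings.append("ip http server is enabled; use 'no ip http server' unless the switch is a web-auth server")
    if "ip http secure-server" not in top_level:
        findings.append("ip http secure-server is missing")
    if "ip ssh version 2" not in top_level:
        findings.append("ip ssh version 2 is missing")
    for hdr, sub in sections:
        if hdr.startswith("line vty"):
            transport = [s for s in sub if s.startswith("transport input")]
            if not transport or any(t != "transport input ssh" for t in transport):
                findings.append(f"{hdr}: transport input must be 'ssh' only (Telnet still allowed)")
            if "transport preferred none" not in sub:
                findings.append(f"{hdr}: missing 'transport preferred none'")
        elif hdr == "interface Vlan1":
            if any(s.startswith("ip address ") for s in sub):
                findings.append("interface Vlan1 carries a management IP; use a dedicated management VLAN")
        elif hdr.startswith("interface ") and "switchport mode trunk" in sub:
            native = next((s for s in sub if s.startswith("switchport trunk native vlan ")), None)
            native_vlan = int(native.rsplit(" ", 1)[1]) if native else 1  # default native VLAN is 1
            if native_vlan == 1:
                findings.append(f"{hdr}: native VLAN is 1; use an unused dummy VLAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no findings']}")
```

The checks deliberately mirror the commands in this chapter one for one, so a finding can be fixed by pasting the corresponding line from the examples above; extend the trunk check with your own allowed-VLAN policy if you prune VLANs on the uplink.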
Global System Configuration
This workflow describes common global configurations for all switch deployments in the access layer.
Note Replace the blue italicized example values with your own values.
Note Configuration examples begin in global configuration mode, unless noted otherwise.
Assign Global Configuration Information
switch 1 priority 15
switch 2 priority 14
Note For additional information about managing switch stacks and configuring high availability features on
the switch, see the Stack Manager and High Availability Configuration Guide, Cisco IOS XE Release.
A switch in VTP transparent mode can create, modify, and delete VLANs (the same way as VTP
servers), but the switch does not send dynamic propagation of VLAN information across the network
and does not synchronize its VLAN configuration based on advertisements received. Configuration
changes made when the switch is in this mode are saved in the switch’s running configuration, and can
be saved to the switch’s startup configuration file.
Note The default VTP mode for the switch is VTP server mode. This mode allows you to create, modify, and
delete VLANs and specify other configuration parameters for the entire VTP domain. VTP servers
advertise their VLAN configuration to other switches in the same VTP domain and synchronize their
VLAN configuration with other switches based on advertisements received over trunk links.
In aggressive mode, if the link state of a port is determined to be bidirectional and the UDLD information
times out while the link on the port is still in the UP state, UDLD tries to re-establish the state of the
port. If this is not successful, the port is put into the errdisable state. In normal mode, the port state
for UDLD is marked as undetermined, and the port operates according to its Spanning Tree Protocol state.
Do not change UDLD aggressive timers.
Note UDLD in aggressive mode is not needed when the upstream device is a switch operating in VSS mode.
For more information about VSS-enabled campus design, see the Campus 3.0 Virtual Switching System
Design Guide.
Step 8 Configure console messages, logs, and debug output to provide timestamps on output, which allows
cross-referencing of events in a network.
This configuration normalizes the method in which traffic is load-shared across the member links of an
EtherChannel. EtherChannels are used extensively in this design because of their resilience.
Note Use VLAN 200 for wireless clients only if the switch operates as a wireless controller in the converged
access mode.
vlan 10
name Data
vlan 11
name Voice
vlan 12
name Access_Points
vlan 200
name Wireless_Client
Note Access interfaces to end devices should not be trusted for router advertisements and IPv6 DHCP
response.
This example configuration shows how to create global policies that are applied to the interfaces
described in the “Access Control on the Wired Network” workflow.
!
ipv6 nd raguard policy switch_ipv6_raguard
device-role switch
trusted-port
!
ipv6 dhcp guard policy endhost_ipv6_dhcp_guard
device-role client
!
ipv6 dhcp guard policy uplink_ipv6_dhcp_guard
device-role server
trusted-port
Note The switch stack must be running Cisco IOS XE Release 3.3.1 or later, in install mode.
For detailed information about the Auto Upgrade feature, see the Using the Auto-Upgrade Feature on the
Cisco Catalyst 3850 document.
Uplink Interface Connectivity
This workflow describes how to configure the Ethernet interfaces that connect a switch or switch stack
to distribution switches or routers. These interfaces are uplink interfaces. They are different from access
interfaces that connect to non-networking end devices such as IP phones, personal computers, wireless
access points, printers, and IP cameras.
The switch interface configuration recommendations are based on a switch stack deployed in the campus
or branch of the access layer.
When stacking two or more physical switches into one logical switch, we recommend that the uplink
interfaces be spread across the physical members, so that an active uplink interface remains available
to the stack if one member fails.
Note Replace the blue italicized example values with your own values.
Note Configuration examples begin in global configuration mode, unless noted otherwise.
LAN Access Switch Topology with Uplinks to a Distribution Switch or Distribution Router
Figure: Campus topology. A Catalyst 3850 stack in the access layer, managed on switch management VLAN 100,
connects desktop users (data VLAN 10, voice VLAN 11), a printer (data VLAN 10), and wireless access. The
uplink is a trunk link with native VLAN 999 and all VLANs included, to dual redundant direct-connect
distribution switches running VSS (Cat6500/6800/4500) or vPC (Nexus 7000).
Voice VLAN 11
Data VLAN 10
Desktop user
behind IP phone Data VLAN 10
Catalyst 3850 stack in access
Switch management
VLAN 100
Desktop user
Dual redundant
direct connect
routers running
HSRP
Data VLAN 10
Trunk link
Native VLAN 999
Printer All VLANs included
391936
Wireless access
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
44
Uplink Interface Connectivity
Configure Uplink Interface Connectivity
Note This configuration should be applied to the physical uplink interfaces before adding them to an
EtherChannel.
Step 1 Apply the Trust Differentiated Services Code Point (DSCP) service policy on an interface in the ingress
direction, and then apply the 2P6Q3T policy in order to ensure proper congestion management and
egress bandwidth distribution on the interface in the egress direction.
Ethernet traffic that is received from the upstream switch or router contains trusted QoS markings and
is classified to guarantee a type of service.
Additional service policies should be applied after traffic is transmitted in order to ease congestion. For
more information, see “Configure QoS on an Access Interface” on page 56.
Note Use this switch-stack uplink interface configuration only when connecting the switch stack to a VSS or
VPC distribution switch pair, and not when the distribution switch pair is configured as two standalone
switches.
Note Use this configuration when connecting the switch stack to two standalone distribution switches (not
configured as a VSS or VPC pair). However, do not use the spanning-tree portfast trunk command for
switch configuration.
• Ensure that the distribution VSS or VPC router side of the connections is configured the same way and
that the EtherChannel is configured with the LACP active mode.
• For additional resilience, the configured uplink interfaces should be located on different switches in
the switch stack.
• Use the spanning-tree portfast trunk command to allow the switch side of the uplink to
immediately transition to a spanning-tree forwarding state when the link becomes available, because
routers do not participate in a spanning tree.
Figure 7 shows a switch stack having a separate EtherChannel to each distribution router. Each
EtherChannel is configured as a trunk with VLANs 10, 11, 12, 100, 200, and 999, with the native VLAN
set to 999.
interface Port-channel 1
ip arp inspection trust
ip dhcp snooping trust
ipv6 nd raguard attach-policy switch_ipv6_raguard
ipv6 dhcp guard attach-policy uplink_ipv6_dhcp_guard
In the following example, security is applied to the uplink interfaces connecting to routers:
interface Port-channel 1
ip arp inspection trust
ip dhcp snooping trust
ipv6 nd raguard attach-policy router_ipv6_raguard
ipv6 dhcp guard attach-policy uplink_ipv6_dhcp_guard
exit
!
interface Port-channel 2
ip arp inspection trust
ip dhcp snooping trust
ipv6 nd raguard attach-policy router_ipv6_raguard
ipv6 dhcp guard attach-policy uplink_ipv6_dhcp_guard
Note Complete this configuration on the distribution switches and not on the switch. The recommendations
listed below are not applicable when routers are used at the distribution layer.
Step 3 On uplink interfaces to distribution switches (Figure 6), ensure that the spanning-tree root for the
switch-stack VLANs is configured on the distribution switch pair.
Follow these recommendations when standalone distribution switches are used instead of a VSS or VPC
system:
• Make sure that the spanning-tree roots for the VLANs are distributed evenly between two standalone
distribution switches. For example, configure one switch as the spanning-tree root for all the even
VLANs, and configure the other switch as the spanning-tree root for all the odd VLANs. This
distribution configuration ensures that the spanning tree does not block all the VLANs on a single
uplink interface, and results in an even traffic flow on the uplink interfaces.
• If Hot Standby Router Protocol (HSRP) or Virtual Router Redundancy Protocol (VRRP) is
configured for the VLANs located on the standalone distribution switches, make sure that the switch
that is active for a VLAN is also the switch that is the spanning-tree root for that VLAN.
• Avoid flooding of traffic caused by asymmetric routing of traffic flows, by configuring the arp
timeout interface configuration command. This command adjusts the ARP aging timer to less than
the MAC address table aging timer on the Layer 3 VLAN interfaces of the distribution switches. By
default, the MAC address table aging timer is set to 5 minutes (300 seconds) on the switch.
For more information about spanning tree root configuration on the VSS, see the “Spanning Tree
Configuration Best Practice with VSS” section of the VSS Enabled Campus Design Guide.
For more information about spanning-tree root on distribution switches, see the “Spanning VLANs
across Access Layer Switches” section of the Campus Network for High Availability Design Guide.
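As an added illustration that is not part of the Cisco guide, the following Python script implements the even/odd root placement recommended above for the VLAN set the text uses (10, 11, 12, 100, 200, 999), renders the distribution-switch spanning-tree vlan ... root primary/secondary commands, and checks the HSRP/VRRP alignment rule from the second bullet. The switch names dist-A and dist-B, the function names, and the HSRP active-router map are assumptions made for the example.

```python
# Added example (not from the Cisco guide): plan even/odd spanning-tree root placement
# across two standalone distribution switches, as Step 3 recommends.
from typing import Dict, List, Tuple

# VLANs carried on the uplink trunks in the guide's Figure 7 description.
UPLINK_VLANS = [10, 11, 12, 100, 200, 999]


def split_even_odd(vlans: List[int]) -> Tuple[List[int], List[int]]:
    """Return (even_vlans, odd_vlans), each sorted and de-duplicated."""
    even = sorted({v for v in vlans if v % 2 == 0})
    odd = sorted({v for v in vlans if v % 2 == 1})
    return even, odd


def vlan_list(vlans: List[int]) -> str:
    """Render a sorted VLAN list in IOS syntax, collapsing consecutive IDs to ranges."""
    if not vlans:
        return ""
    parts, start, prev = [], vlans[0], vlans[0]
    for v in vlans[1:] + [None]:          # None acts as an end marker
        if v is not None and v == prev + 1:
            prev = v
            continue
        parts.append(str(start) if start == prev else f"{start}-{prev}")
        if v is not None:
            start = prev = v
    return ",".join(parts)


def root_plan(vlans: List[int]) -> Dict[str, List[str]]:
    """Distribution-switch commands: dist-A roots the even VLANs and backs up the odd
    ones; dist-B does the reverse. Switch names are placeholders for the example."""
    even, odd = split_even_odd(vlans)
    return {
        "dist-A": [f"spanning-tree vlan {vlan_list(even)} root primary",
                   f"spanning-tree vlan {vlan_list(odd)} root secondary"],
        "dist-B": [f"spanning-tree vlan {vlan_list(odd)} root primary",
                   f"spanning-tree vlan {vlan_list(even)} root secondary"],
    }


def hsrp_root_mismatches(root_owner: Dict[int, str], hsrp_active: Dict[int, str]) -> List[int]:
    """VLANs whose HSRP/VRRP active router is not the spanning-tree root for that
    VLAN, the condition the guide says to avoid (traffic would cross the inter-switch link)."""
    return sorted(v for v, owner in root_owner.items() if hsrp_active.get(v) != owner)
```

Running root_plan(UPLINK_VLANS) yields the two command pairs to paste into dist-A and dist-B; feeding the resulting root ownership and the HSRP active-router assignment into hsrp_root_mismatches lists any VLAN where the two disagree.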
Display Uplink Interface Connectivity for the Switch
For more information about spanning-tree root configuration and asymmetric routing, see the “Spanning
VLANs Across Access Layer Switches” and “Asymmetric Routing and Unicast Flooding” sections of
the Campus Network for High Availability Design Guide.
Access Interface Connectivity
This workflow describes how to configure the Ethernet interfaces that connect to the end devices of a
switch. End devices are the non-networking devices that connect to the network, such as IP phones,
personal computers, wireless access points, printers, and IP cameras. The Ethernet interfaces that
connect to end devices are referred to as access interfaces. They differ from uplink interfaces that link
to other networking devices.
The workflow for configuring access interfaces is based on a switch deployed at the access layer in a
campus or branch network (Figure 8). The switch interfaces connected to end devices are the edge of the
network, where network security and QoS begin.
Note Replace the blue italicized example values with your own values.
Note Configuration examples begin in global configuration mode, unless noted otherwise.
[Figure 8: LAN Access Switch Topology with Connections to End Devices. Labels (recovered from mirrored text): data VLAN 10, printer, desktop user, direct connect.]
Configure Access Interface Connectivity
IP Device Tracking
Caution The IP Device Tracking (IPDT) feature can have negative side effects that impact the normal
day-to-day operation of your switch.
Note Symptoms of IPDT issues are seen on the end device. For instance, on a Windows PC, an error
message reporting a duplicate IP address 0.0.0.0 appears.
IPDT is enabled globally, but it cannot be globally disabled. To disable IPDT, you must disable it at the
interface level.
Note To disable IPDT on a port channel, you must first unbundle the physical Ethernet interfaces from the port
channel.
We recommend that you disable IPDT on all access interfaces, except where one of these features
explicitly requires IPDT:
• IPDT is required for Centralized Web Authentication with Identity Services Engine (ISE).
• Network Mobility Services communicates with the Mobility Services Engine to track location.
• Device Sensor watches the control packets that ingress from the attached end device and determines
what type of device is attached. Device Sensor uses multiple sources (such as IPDT) to determine
the device type. Device Sensor is critical to other features, such as Auto Smart Ports and AutoConf.
• Auto Smart Ports and AutoConf are indirectly affected, because they are clients of Device Sensor.
The Device Sensor feature uses IPDT to aid in detection of attached device types.
• Address Resolution Protocol (ARP) snooping will be impacted if IPDT is disabled.
interface GigabitEthernet1/0/1
nmsp attach suppress
Alternately, you can use the following method:
interface GigabitEthernet1/0/1
ip device tracking maximum 0
• Configure the access interface for static access mode, which is single VLAN mode with no
negotiation.
• Configure the interface for Spanning Tree PortFast (STPF), which shortens the time it takes for the
interface to go into forwarding mode. We recommend STPF on interfaces that do not connect to
other bridging devices (Ethernet switches).
The default administrative mode for Ethernet interfaces on a switch is dynamic auto. Dynamic mode
means the interface negotiates to trunk mode if the networking device on the other side of the link
initiates the negotiation to trunk (administrative mode “dynamic desirable”).
Tip When you create an interface description, you can quickly scan a long list of interfaces to learn how they
are used in your network.
description IP Phone
Note MAC addresses that are remembered on interfaces with port security do not appear in the dynamic MAC
address table; they appear in the static MAC address table.
Step 5 Configure IP ARP inspection and (DHCP, IGMP, and so on) snooping rate limits of 100 packets per
second (p/s) on the interface. (Incoming ARP packets exceeding 100 p/s are not typical and are considered
malicious. Those packets are dropped and a syslog message is raised.)
ip verify source
Step 7 Enable storm control on broadcast and multicast packets on the interface to protect the network from a
flood of broadcast or multicast packets.
When the configured levels are exceeded, the switch sends an SNMP trap. The interfaces are not put into
a disabled state.
Unknown unicast packets are blocked on egress, not on ingress. The switch drops unknown unicast packets
before they are egressed to the end device, ensuring that only the packets intended for the end device are
forwarded.
Step 8 Configure IPv6 security on the interface to secure the end devices from malicious or unexpected
operation by preventing them from transmitting IPv6 router advertisements, and IPv6 responses.
The applied policies are defined in the “Global System Configuration” workflow.
Quality of Service (QoS) provides preferential treatment to certain types of traffic at the expense of
others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet
contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Auto QoS on the switch generates multiple service policies for various end devices. The service policy
that is generated depends on the end device type.
Step 9 Apply service policies to a single access interface.
The switch then automatically generates the modular QoS command-line interface (MQC) service
policies needed for access.
This example identifies some of the service policy configurations.
Use the show storm-control command to confirm that the interfaces are configured for storm control.
show storm-control
Key: U - Unicast, B - Broadcast, M - Multicast
Interface  Filter State   Upper       Lower       Current    Action   Type
---------  -------------  ----------  ----------  ---------  -------  ----
Gi1/0/1    Link Down      1k pps      1k pps      0 pps      Trap     B
Use the show ip dhcp snooping command to confirm that the interfaces are configured for DHCP snooping.
show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10-13,100
DHCP snooping is operational on following VLANs:
10-13,100
DHCP snooping is configured on the following L3 Interfaces:
Use the show ip verify source command to confirm that the IP source guard is configured and working.
Use the show port-security command to confirm that access interfaces are configured for port security.
show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi1/0/1 11 1 0 Restrict
Gi1/0/2 11 1 0 Restrict
Gi1/0/3 11 1 0 Restrict
Gi1/0/4 11 1 0 Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
Use the show ip arp inspection interfaces command to confirm the rate and untrusted state of access
interfaces.
Use the show ipv6 nd raguard policy command to confirm that access interfaces are configured for
Router Advertisement Guard with specific policies.
Display Running Configuration for Access Interface Connectivity
Use the show ipv6 dhcp guard policy command to confirm the DHCPv6 guard policy on access interfaces.
Use the show policy-map interface command to confirm the input and output service policies applied
to access interfaces.
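The show commands above are checks an operator runs by eye. As an added example that is not from the Cisco guide, the following Python parses saved show port-security and show storm-control output and flags what a defender wants to know: recorded port-security violations, a full secure-address table, a port whose maximum or violation action differs from this workflow's baseline (maximum 11, restrict, storm-control action trap), a storm currently being suppressed, and a port missing broadcast or multicast suppression. The sample output is constructed to resemble the guide's examples (with extra rows so every check fires), and the regular expressions, data-class names and threshold defaults are assumptions made for the example.

```python
# Added example (not from the Cisco guide): parse "show port-security" and
# "show storm-control" output and flag rows that depart from the guide's baseline.
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample output modelled on the guide's examples; not captured from a switch.
PORT_SECURITY_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/0/1             11            1                  0         Restrict
      Gi1/0/2             11            1                  3         Restrict
      Gi1/0/3             11           11                  0         Restrict
      Gi1/0/4             11            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 10
Max Addresses limit in System (excluding one mac per port) : 4096
"""
STORM_CONTROL_OUTPUT = """\
Key: U - Unicast, B - Broadcast, M - Multicast
Interface  Filter State   Upper       Lower       Current    Action   Type
---------  -------------  ----------  ----------  ---------  -------  ----
Gi1/0/1    Link Down      1k pps      1k pps      0 pps      Trap     B
Gi1/0/1    Link Down      2k pps      2k pps      0 pps      Trap     M
Gi1/0/2    Forwarding     1k pps      1k pps      0 pps      Trap     B
Gi1/0/2    Blocking       2k pps      2k pps      3.2k pps   Trap     M
Gi1/0/3    Forwarding     1k pps      1k pps      0 pps      Shutdown B
"""

@dataclass
class PortSecurityRow:
    port: str
    max_addr: int
    current: int
    violations: int
    action: str

@dataclass
class StormControlRow:
    port: str
    state: str
    upper: float     # suppression threshold in pps
    current: float   # current rate in pps
    action: str
    traffic: str     # U, B or M

PS_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# The constructed sample uses pps thresholds only; percentage levels are not handled here.
SC_ROW = re.compile(r"^(\S+)\s+(Link Down|Forwarding|Blocking|Inactive)\s+"
                    r"(\S+ pps)\s+(\S+ pps)\s+(\S+ pps)\s+(Trap|Shutdown|None)\s+([UBM])\s*$")

def parse_pps(field: str) -> float:
    """'3.2k pps' -> 3200.0, '0 pps' -> 0.0"""
    num = field.split()[0]
    return float(num[:-1]) * 1000 if num.endswith("k") else float(num)

def parse_port_security(text: str) -> List[PortSecurityRow]:
    rows = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:  # header, separator and total lines do not match the numeric columns
            rows.append(PortSecurityRow(m[1], int(m[2]), int(m[3]), int(m[4]), m[5]))
    return rows

def parse_storm_control(text: str) -> List[StormControlRow]:
    rows = []
    for line in text.splitlines():
        m = SC_ROW.match(line)
        if m:
            rows.append(StormControlRow(m[1], m[2], parse_pps(m[3]), parse_pps(m[5]), m[6], m[7]))
    return rows

def port_security_findings(rows, expected_max=11, expected_action="Restrict") -> List[str]:
    """Violations, a full secure-address table, or a port that departs from the baseline."""
    out = []
    for r in rows:
        if r.violations > 0:
            out.append(f"{r.port}: {r.violations} port-security violation(s) recorded")
        if r.current >= r.max_addr:
            out.append(f"{r.port}: secure address table full ({r.current}/{r.max_addr})")
        if r.max_addr != expected_max or r.action != expected_action:
            out.append(f"{r.port}: deviates from baseline (maximum {expected_max}, {expected_action})")
    return out

def storm_control_findings(rows, expected_action="Trap") -> List[str]:
    """A storm in progress, a non-trap action, or a port missing B or M suppression."""
    out: List[str] = []
    seen: Dict[str, Set[str]] = {}
    for r in rows:
        seen.setdefault(r.port, set()).add(r.traffic)
        if r.state == "Blocking":
            out.append(f"{r.port}: {r.traffic} traffic at {r.current:.0f} pps exceeds {r.upper:.0f} pps")
        if r.action != expected_action:
            out.append(f"{r.port}: storm-control action is {r.action}, baseline is {expected_action}")
    for port, kinds in sorted(seen.items()):
        missing = sorted({"B", "M"} - kinds)
        if missing:
            out.append(f"{port}: no storm-control configured for {','.join(missing)} traffic")
    return out
```

Feed the functions the text of the two show commands collected from a switch (for instance from a scheduled capture) and review the returned findings; a non-empty list from storm_control_findings with a Blocking row is the same event the switch reports with the SNMP trap mentioned in Step 7.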
Tip To use the same interface configuration for multiple interfaces on the switch, use the interface range
command. This command allows you to issue a command once and have it apply to many interfaces.
Because most of the interfaces in the access layer are configured identically, using this command can
save a lot of time. For example, the following command allows you to enter commands simultaneously
on all 48 interfaces (GigabitEthernet 1/0/1 to GigabitEthernet 1/0/48).
Note Apply the interface range command to every switch stack member. This range command will work for
all interfaces on a single switch member. Enter the range command for each member.
show running-configuration
.
.
.
description IP Phone
switchport host
switchport access vlan 10
switchport voice vlan 11
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation restrict
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
ip verify source
switchport block unicast
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
ipv6 nd raguard attach-policy endhost_ipv6_raguard
ipv6 dhcp guard attach-policy endhost_ipv6_dhcp_guard
auto qos voip cisco-phone
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output 2P6Q3T
show running-configuration
.
.
.
description Personal Computer
switchport host
switchport access vlan 10
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation restrict
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
ip verify source
switchport block unicast
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
ipv6 nd raguard attach-policy endhost_ipv6_raguard
ipv6 dhcp guard attach-policy endhost_ipv6_dhcp_guard
auto qos trust dscp
service-policy input AutoQos-4.0-Classify-Input-Policy
service-policy output 2P6Q3T
show running-configuration
.
.
.
description Lightweight Access Point
switchport host
switchport access vlan 12
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation restrict
ip dhcp snooping limit rate 100
switchport block unicast
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
show running-configuration
.
.
.
description Printer
switchport host
switchport access vlan 10
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation restrict
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
ip verify source
switchport block unicast
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
ipv6 nd raguard attach-policy endhost_ipv6_raguard
ipv6 dhcp guard attach-policy endhost_ipv6_dhcp_guard
auto qos classify police
service-policy input AutoQos-4.0-Classify-Police-Input-Policy
service-policy output 2P6Q3T
Access Control on the Wired Network
This workflow describes a phased approach to deploy IEEE 802.1x port-based authentication to provide
secure and identity-based access control at the edge of the switch stack network.
We recommend that you identify certain switch configuration values in advance so that you can proceed
without interruption. We recommend that you print Table 7 and, as you follow the configuration
sequence, replace the values in column B with your values in column C.
Note Depending on your authentication server settings, the authentication and accounting ports could be
assigned the values 1812 and 1813 respectively.
Note Replace the blue italicized example values with your own values.
Note Configuration examples begin in global configuration mode, unless noted otherwise.
[Figure: LAN Access Switch Topology with IEEE 802.1x Secure Access Control. Labels: authentication server; data VLAN 10, voice VLAN 11; desktop users (direct connect), printer.]
Securing Access Using 802.1x on a wired LAN
To provide secure access to your wired switch network, we recommend that you first provision your
common wired security features. Provision security modes in phased deployments (monitor mode to
high-security mode) of IEEE 802.1x authentication along with MAC Authentication Bypass (MAB),
which uses the MAC address of the end device (or supplicant) to make decisions about access.
Note Each phased deployment should occur over time after ensuring that your network is ready to transition
to the next security mode.
Table 8 describes the recommended IEEE 802.1x deployment scenarios that will have limited impact on
network access. Test your network infrastructure while in monitor mode. If you are satisfied, then
transition to low-impact mode and allow a subset of network traffic to pass through. Finally, transition
to high-security mode, requiring authorization from all end devices.
Reference
For detailed information about wired mode deployments, see the TrustSec Phased Deployment
Configuration Guide.
For basic information about IEEE 802.1x protocols, see the “8021X Protocols” section of the Wired
802.1X Deployment Guide.
• Multi-authentication mode authenticates all the devices that gain access to the network through a
single switch port, such as devices connected through IP phones.
• Multi-authentication mode is more secure than multi-host mode (which also allows multiple data
devices) because it authenticates all the devices that try to gain access to the network.
Step 1 Run the show run command on your switch to ensure that your access interface connections are set up.
This output is what you inherit after performing the “Access Interface Connectivity” workflow
configuration for an interface connected to an IP phone.
Step 2 (Optional) If you observe excessive timeouts, fine-tune the IEEE 802.1x timers and variables. Timers
and variables are important for controlling the IEEE 802.1x authenticator process on the switch.
We recommend that you do not change the IEEE 802.1x timer and variable default settings, unless
necessary.
Begin in interface configuration mode:
dot1x timeout tx-period 30
dot1x max-reauth-req 2
authentication timer restart 60
dot1x timeout quiet-period 60
Reference
For detailed information about the IEEE 802.1x timers and variables, see the Wired 802.1x Deployment
Guide.
Step 4 Enable MAC authentication bypass (MAB) from interface configuration mode to authenticate
supplicants that do not support IEEE 802.1x authentication.
When MAB is enabled, the switch uses the MAC address of the device as its identity. The authentication
server has a database of MAC addresses that are allowed network access.
We recommend that you enable MAB to support non-802.1x-compliant devices. MAB also is an
alternate authentication method when end devices fail IEEE 802.1x authentication due to restricted ACL
access.
Begin in interface configuration mode.
mab
Step 7 To establish the RADIUS server, configure the RADIUS server with its IP address, the UDP ports for
authentication and accounting, and the server encryption key.
Step 9 Disable the Port Security feature, because when IEEE 802.1x is enabled, the Port Security feature
becomes redundant and might interfere with the IEEE 802.1x functionality.
Begin in interface configuration mode.
no switchport port-security
no switchport port-security violation
no switchport port-security aging type
no switchport port-security aging time
no switchport port-security maximum
Note For information about configuration of multiple-authentication mode on IEEE 802.1x ports, see
“Provision Common Wired Security Access”.
Minimize the impact to your initial network access settings and add differentiated network access to
authenticated users with low-impact mode provisioning. In low-impact mode, authentication is open and
network access is contained using less restrictive port ACLs. After authentication, dACLs are used to
allow full network access to end devices.
Step 10 Configure multi-domain mode to prevent unauthorized users from accessing an interface after an
authorized user has been authenticated.
Step 14 Assign critical VLAN assignments for situations where the authentication server is unavailable.
The following command is used to configure a port to send both new and existing hosts to the critical
VLAN when the RADIUS server is unavailable. Use this command for ports in multiple authentication
(multiauth) mode or if the voice domain of the port is in MDA mode.
Show Running Configuration for Provisioning Modes
show running-configuration
hostname 3850-access-Bld1Flr1
!
!
aaa new-model
!
aaa authentication dot1x default group radius
!
ip device tracking
!
!
dot1x system-auth-control
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
switchport block unicast
switchport voice vlan 11
ip arp inspection limit rate 100
trust device cisco-phone
authentication host-mode multi-auth
authentication open
authentication port-control auto
mab
dot1x pae authenticator
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
ipv6 nd raguard attach-policy endhost_ipv6_raguard
ipv6 dhcp guard attach-policy endhost_ipv6_dhcp_guard
auto qos voip cisco-phone
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip verify source
ip dhcp snooping limit rate 100
!
!
radius server AuthServer
address ipv4 192.168.254.14 auth-port 1645 acct-port 1646
key cisco123
!
show running-configuration
hostname 3850-access-Bld1Flr1
!
!
aaa new-model
!
aaa authentication dot1x default group radius
!
ip device tracking
!
!
dot1x system-auth-control
!
!
aaa session-id common
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
switchport block unicast
switchport voice vlan 11
ip arp inspection limit rate 100
trust device cisco-phone
ip access-group LowImpactSecurity-acl in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication port-control auto
mab
dot1x pae authenticator
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
ipv6 nd raguard attach-policy endhost_ipv6_raguard
ipv6 dhcp guard attach-policy endhost_ipv6_dhcp_guard
auto qos voip cisco-phone
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip verify source
ip dhcp snooping limit rate 100
!
!
ip access-list extended LowImpactSecurity-acl
permit tcp any any established
permit udp any any eq bootps
permit udp any any eq tftp
permit udp any any eq domain
!
radius server AuthServer
address ipv4 192.168.254.14 auth-port 1645 acct-port 1646
key cisco123
show running-configuration
hostname 3850-access-Bld1Flr1
!
!
aaa new-model
!
aaa authentication dot1x default group radius
!
ip device tracking
!
!
dot1x system-auth-control
!
!
aaa session-id common
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
switchport block unicast
switchport voice vlan 11
ip arp inspection limit rate 100
trust device cisco-phone
authentication event server dead action authorize vlan 20
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication port-control auto
mab
dot1x pae authenticator
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
ipv6 nd raguard attach-policy endhost_ipv6_raguard
ipv6 dhcp guard attach-policy endhost_ipv6_dhcp_guard
auto qos voip cisco-phone
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip verify source
ip dhcp snooping limit rate 100
!
!
radius server AuthServer
address ipv4 192.168.254.14 auth-port 1645 acct-port 1646
key cisco123
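Both the “Access Interface Connectivity” running-configuration examples and the three provisioning-mode configurations above are meant to be verified by reading them. As an added example that is not from the Cisco guide, the following Python audits a saved running-config: it splits the configuration into interface blocks, reports which of the per-interface security lines from the access workflow (unknown-unicast blocking, DAI and DHCP snooping rate limits, IP Source Guard, storm control with the trap action, RA Guard and DHCPv6 Guard policies) are missing on each access port, classifies the port's 802.1x phase (monitor, low-impact or high-security) from authentication open and the presence of a port ACL, and flags port security left in place alongside 802.1x (Step 9). The sample configuration is constructed from the guide's examples, and the pattern table and function names are assumptions made for this example.

```python
# Added example (not from the Cisco guide): audit a running-config against the access
# baseline and classify each port's 802.1x phase.
import re
from typing import Dict, List

# Constructed sample config modelled on the guide's examples; not from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport block unicast
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 ipv6 nd raguard attach-policy endhost_ipv6_raguard
 ipv6 dhcp guard attach-policy endhost_ipv6_dhcp_guard
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security maximum 11
 switchport port-security
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip access-group LowImpactSecurity-acl in
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface Port-channel1
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
"""

# Lines the guide puts on every access port (patterns: levels and policy names vary per site).
BASELINE = {
    "block unknown unicast": r"^switchport block unicast$",
    "DAI rate limit": r"^ip arp inspection limit rate \d+$",
    "DHCP snooping rate limit": r"^ip dhcp snooping limit rate \d+$",
    "IP source guard": r"^ip verify source",
    "broadcast storm control": r"^storm-control broadcast level ",
    "multicast storm control": r"^storm-control multicast level ",
    "storm-control trap action": r"^storm-control action trap$",
    "RA guard policy": r"^ipv6 nd raguard attach-policy \S+$",
    "DHCPv6 guard policy": r"^ipv6 dhcp guard attach-policy \S+$",
}

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented config lines (indent stripped)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or a global line ends the block
    return blocks

def baseline_gaps(lines: List[str]) -> List[str]:
    """Baseline items absent from an access interface."""
    return [name for name, pat in BASELINE.items()
            if not any(re.match(pat, line) for line in lines)]

def dot1x_phase(lines: List[str]) -> str:
    """monitor: open auth, no port ACL; low-impact: open auth plus port ACL;
    high-security: closed auth; none: 802.1x not enabled on the port."""
    if "dot1x pae authenticator" not in lines or "authentication port-control auto" not in lines:
        return "none"
    if "authentication open" not in lines:
        return "high-security"
    has_acl = any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines)
    return "low-impact" if has_acl else "monitor"

def audit(config: str) -> Dict[str, dict]:
    """Per access port: its 802.1x phase and the list of issues found."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines and "switchport host" not in lines:
            continue  # uplinks and EtherChannels follow the trusted-port pattern instead
        phase = dot1x_phase(lines)
        issues = baseline_gaps(lines)
        # Step 9 of the 802.1x workflow: port security is redundant once 802.1x is enabled.
        if phase != "none" and any(l.startswith("switchport port-security") for l in lines):
            issues.append("port-security still configured alongside 802.1x")
        report[name] = {"dot1x_phase": phase, "issues": issues}
    return report
```

Call audit() on the text of show running-config saved from each stack; an empty issues list for every access port, together with the phase you expect for the current deployment stage, is the condition to confirm before moving from monitor mode to low-impact mode or to high-security mode.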
Monitoring IEEE 802.1x Status and Statistics
To detect errors, filter the dot1x verbose messages that are enabled by default.
Step 2 Use the show dot1x interface statistics command to display IEEE 802.1x statistics for a specific port.
Step 3 Use the show dot1x all command to display the IEEE 802.1x administrative and operational status for
a switch.
show dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 3
Step 4 Use the show dot1x interface command to display the IEEE 802.1x administrative and operational
status for a specific port.
Converged Wired and Wireless Access
This workflow explains how to enable the converged access functionality of the switch, and explains how
the switch can operate as the wireless mobility controller (MC) as well as the wireless mobility anchor
(MA) in a small branch deployment.
Wired and wireless features enabled on the same platform are referred to as converged access. The
wired and wireless features are bundled into a single Cisco IOS Software image, which reduces the
number of software images that users have to qualify and certify before enabling them in their network.
Converged access improves wireless bandwidth across the network and the scale of wireless deployment.
For example, a 48-port Catalyst 3850 switch provides 40 Gbps of wireless throughput. This wireless
capacity increases with the number of members in the stack. This ensures that the network will scale
with current wireless bandwidth requirements, as dictated by IEEE 802.11n-based access points and
with future wireless standards such as IEEE 802.11ac.
Prerequisites
Complete the following tasks before proceeding with wireless configuration:
• Switch stack must function in Stateful Switchover (SSO) mode.
• Interface configuration is completed, as explained in the “Access Interface Connectivity” workflow.
• Lightweight access points are used.
• NTP configuration should be present and operational, as explained in the “Global System
Configuration” workflow.
• A wireless site survey should be completed. The site survey identifies the proper placement of
wireless access points for the best coverage. For detailed information about the site survey process
and the tool to use, see the Wireless Site Survey FAQ.
• Complete the QoS workflow.
Restrictions
• AP-count licenses are supported only on IP Base and IP Services licenses. See the Cisco Catalyst
3850 Switch Right-to-Use Licensing Model.
Note This workflow contains two separate IP subnets that contain VLANs used for access points and wireless
clients. The access points are on VLAN 12, and use IP subnet 192.168.12.x. The wireless clients are on
VLAN 200, and use IP subnet 192.168.13.x.
Note In the configuration examples, you must replace the blue italicized example values with your own values.
LAN Access Switch Topology with Wireless Connectivity
Note Configuration examples begin in global configuration mode, unless noted otherwise.
Enable the Switch as a Wireless Controller
[Figure: LAN Access Switch Topology with Wireless Connectivity. Elements shown: a Catalyst 3850 stack in the
access layer; dual redundant direct-connect routers running HSRP, reached over a trunk link with native VLAN 999
and all VLANs included; a DHCP server; ISE; switch management VLAN 100; desktop users and a desktop user behind
an IP phone on data VLAN 10 and voice VLAN 11; a printer; wireless access.]
• If the number of connected access points exceeds the total number of accepted AP-count licenses, a
syslog warning message is sent; the newly connected access points are not disconnected until a
stack reload.
• After a stack reload, the newly connected access points are removed from the total access point
count.
You can activate permanent RTU licenses after you accept the EULA. The EULA assumes you have
purchased the permanent license. Use AP-count adder type licenses to activate access point licenses. The
adder AP-Count license is an “add as you grow” license. You can add access point licenses as your
network grows. You activate an adder AP-count license by using EXEC commands, and it is activated
without a switch reload.
Step 1 Activate a permanent access point license and accept the EULA.
Access point licenses are configured for permanent or for evaluation purposes. To prevent disruptions in
operation, the switch does not change licenses when an evaluation license expires. You get a warning
that your evaluation license will expire and you must disable the evaluation license and purchase a
permanent one.
We recommend that you purchase and activate a permanent license and accept the EULA to avoid an
untimely expiration.
The following examples activate 10 access point licenses on member 1 and 15 on member 2.
For more information about RTU licenses, see the “Configuring Right-To-Use Licenses” chapter in the
System Management Configuration Guide, Cisco IOS SE Release 3E.
ip dhcp pool APVlan10-Pool
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
ip dhcp excluded-address 192.168.12.1 192.168.12.2
Step 8 After the switch reboots, verify that the role of the switch has changed to Mobility Controller.
Note The access VLAN on the switch port should be the same as the wireless management VLAN configured
in Step 4 in this workflow.
interface GigabitEthernet1/0/3
description Lightweight Access Point
switchport host
switchport access vlan 12
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation restrict
ip dhcp snooping limit rate 100
switchport block unicast
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
Provisioning a Small Branch WLAN
Note If your network does not permit open access for any wireless device, proceed to the “Provision in Secure
Mode” section and provision your wireless network in secure mode.
Note Guest Access network deployment is beyond the scope of this document. For detailed information, see
the “Configuring Wireless Guest Access” chapter in the Security Configuration Guide, Cisco IOS XE
Release 3E, (Catalyst 3850 Switches).
Provision in Easy-RADIUS
Easy-RADIUS allows access to the network without authentication and is not secure.
• Disable Authentication to Enable Easy-RADIUS
• Configure QoS to Secure the WLAN
• Verify Client Connectivity in RADIUS
Note If your network does not permit open access for any wireless device, proceed to the “Provision in Secure
Mode” section and provision your wireless network in secure mode.
Step 1 To provision in easy-RADIUS, use the no security EXEC commands to disable authentication for a
WLAN.
By default, the WLAN is enabled for security with Wi-Fi Protected Access (WPA) and Wi-Fi Protected
Access II (WPA2). To make the WLAN open, use the no security wpa wpa2 command.
Note By default, the broadcast SSID is enabled, and the WLAN/SSID information is sent in the beacons. The
no broadcast-ssid command stops the SSID from being broadcast, so it is not visible to end clients.
When the SSID broadcast is disabled, end users can still connect to the SSID by entering the SSID
information manually in the wireless client's network properties.
!
!Look for client open auth state.
Server Policies:
Vlan Group: Name: 340, Vlan: 340
aaa new-model
aaa session-id common
aaa authentication dot1x default group RADIUS
aaa authorization network default group RADIUS
aaa accounting dot1x default start-stop group RADIUS
!
! Enable 802.1X authentication globally on the switch
!
dot1x system-auth-control
! Radius Server definition (adds ISE to the Radius Group)
!
radius server AuthServer
address ipv4 192.168.254.14 auth-port 1645 acct-port 1646
key cisco123
!
!
aaa group server RADIUS RADIUS-GROUP
server name AuthServer
Note WPA2 with AES encryption and IEEE 802.1x key management are enabled by default on the WLAN for
the switch, so you do not need to explicitly configure these security settings.
DHCP Snooping
Step 4 DHCP snooping configuration is required on the controller for proper client join functionality.
DHCP snooping must be enabled on each client VLAN, including any override VLAN that is applied on
the WLAN.
ip dhcp snooping
ip dhcp snooping vlan 100
Enable the bootp-broadcast command. It is needed for clients that send DHCP messages to the broadcast
address with the broadcast bit set in the DHCP message.
ip dhcp snooping wireless bootp-broadcast enable
On the interface:
Note If the upstream connection is a port channel, the trust configuration must also be applied on the port
channel interface.
interface TenGigabitEthernet1/0/1
switchport trunk allowed vlan 100
switchport mode trunk
ip dhcp snooping trust
Note DHCP snooping should be configured on the Guest Anchor controller for guest access, similar to the
configuration above.
To allow ingress and egress traffic on the network, the -required option in the WLAN settings forces
clients to perform an address request and renew operation each time an association is made with the
WLAN. This option allows strict control of used IP addresses.
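As an added check covering two settings in this workflow, the hardened access-point port shown under "Enable the Switch as a Wireless Controller" and the DHCP snooping VLAN coverage and uplink trust described in Step 4, the following Python script audits a running-config excerpt. It is example code written for readers of this guide, not Cisco's; the AP VLAN (12), the client VLAN (100), the list of required port lines and the treatment of TenGigabitEthernet and Port-channel interfaces as uplinks are assumptions taken from this guide's examples, and the configuration text it parses is constructed.

```python
# Audit a running-config for the AP-port hardening and DHCP snooping settings
# above. Added example, not from the Cisco guide: policy values mirror the
# guide's sample commands; the configuration text at the bottom is constructed.
AP_VLAN = "12"                  # access-point VLAN in the guide's topology (assumed)
CLIENT_VLANS = {"100"}          # WLAN client VLANs that need DHCP snooping (assumed)
UPLINK_PREFIXES = ("TenGigabitEthernet", "Port-channel")   # assumed uplink ports

# Lines every AP-facing access port should carry, taken from the guide's example.
AP_PORT_REQUIRED = (
    "switchport port-security",
    "switchport port-security violation restrict",
    "ip dhcp snooping limit rate 100",
    "storm-control broadcast level pps 1k",
    "storm-control action trap",
)

def parse_config(text):
    """Split IOS-style config text into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # '!' closes a stanza
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def check_ap_ports(interfaces):
    """Findings for access ports in the AP VLAN that lack a hardening line."""
    findings = []
    for name, lines in interfaces.items():
        if f"switchport access vlan {AP_VLAN}" in lines:
            findings += [f"{name}: missing '{req}'" for req in AP_PORT_REQUIRED
                         if req not in lines]
    return findings

def check_dhcp_snooping(global_lines, interfaces):
    """Findings for global snooping state, client VLAN coverage and uplink trust."""
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: DHCP snooping is not enabled")
    if "ip dhcp snooping wireless bootp-broadcast enable" not in global_lines:
        findings.append("global: bootp-broadcast forwarding for wireless clients is off")
    snooped = set()
    for line in global_lines:
        if line.startswith("ip dhcp snooping vlan "):
            snooped.update(line.split(None, 4)[4].split(","))  # comma lists; ranges not expanded
    for vlan in sorted(CLIENT_VLANS - snooped, key=int):
        findings.append(f"global: client VLAN {vlan} missing from 'ip dhcp snooping vlan'")
    for name, lines in interfaces.items():
        if (name.startswith(UPLINK_PREFIXES) and "switchport mode trunk" in lines
                and "ip dhcp snooping trust" not in lines):
            findings.append(f"{name}: uplink trunk lacks 'ip dhcp snooping trust'")
    return findings

def audit(text):
    """Run both checks over one configuration and return the combined findings."""
    global_lines, interfaces = parse_config(text)
    return check_ap_ports(interfaces) + check_dhcp_snooping(global_lines, interfaces)

# Constructed sample: Gi1/0/3 matches the guide, Gi1/0/4 is an unhardened AP port,
# and the uplink trunk is missing its trust statement.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping wireless bootp-broadcast enable
!
interface TenGigabitEthernet1/0/1
 switchport trunk allowed vlan 100
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description Lightweight Access Point
 switchport mode access
 switchport access vlan 12
 switchport port-security maximum 11
 switchport port-security
 switchport port-security violation restrict
 ip dhcp snooping limit rate 100
 storm-control broadcast level pps 1k
 storm-control action trap
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 12
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the five hardening lines missing from GigabitEthernet1/0/4 and the untrusted uplink; an unhardened AP port and an untrusted uplink are exactly the two conditions under which a rogue DHCP server or a flooding client behind an access point would go unnoticed. Feed it the output of show running-config to check a real switch; the `switchport host` macro in the guide's example is shown here in its expanded `switchport mode access` form, which is what the running configuration displays.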
Step 1 Disable the 5-GHz and 2.4-GHz networks so that the wireless spectrum rates can be modified.
In a well-designed wireless network with good radio frequency coverage, lower data rates can be
disabled. Low data rates consume the most airtime.
Limiting the number of supported data rates allows clients to down-shift faster when retransmitting.
Wireless clients try to send at the fastest data rate. If the transmitted frame is unsuccessful, the wireless
client will retransmit at the next lowest available data rate. The removal of some supported data rates
means that clients that need to retransmit a frame directly down-shift several data rates, which increases
the chance for the frame to go through at the second attempt. IEEE 802.11b-only devices no longer need
to be accommodated. Disable speeds used by IEEE 802.11b-only devices.
Note Beacons are sent at the lowest mandatory rate, which defines the cell size.
When deploying the switch in converged access mode as a hotspot, the lowest data rate should be enabled
to favor coverage over speed. The recommended data rates above are intended for a wireless network with
good radio frequency coverage. Data rates are contingent upon the nature of your radio frequency
deployment.
Show Running Configuration for Wireless LAN Converged Access
! Radio Resource management features
ap dot11 24ghz shutdown
ap dot11 24ghz cleanair
ap dot11 24ghz rate RATE_1M disable
ap dot11 24ghz rate RATE_2M disable
ap dot11 24ghz rate RATE_5_5M disable
ap dot11 24ghz rate RATE_6M disable
ap dot11 24ghz rate RATE_9M disable
ap dot11 24ghz rate RATE_11M disable
ap dot11 24ghz rate RATE_12M supported
ap dot11 24ghz rate RATE_18M supported
ap dot11 24ghz rate RATE_24M mandatory
ap dot11 24ghz rate RATE_36M supported
ap dot11 24ghz rate RATE_48M supported
ap dot11 24ghz rate RATE_54M supported
no ap dot11 24ghz shutdown
!
ap dot11 5ghz shutdown
ap dot11 5ghz rrm channel dca chan-width 80
ap dot11 5ghz cleanair
ap dot11 5ghz rate RATE_6M disable
ap dot11 5ghz rate RATE_9M disable
ap dot11 5ghz rate RATE_12M disable
ap dot11 5ghz rate RATE_18M disable
ap dot11 5ghz rate RATE_24M mandatory
ap dot11 5ghz rate RATE_36M supported
ap dot11 5ghz rate RATE_48M supported
ap dot11 5ghz rate RATE_54M supported
no ap dot11 5ghz shutdown
ap group default-group
end
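The following Python check, added here as an example and not part of the Cisco guide, applies the data-rate guidance from "Provisioning a Small Branch WLAN" to the ap dot11 rate lines of the running configuration just shown: it reports the lowest mandatory (beacon) rate per band, flags a band with no mandatory rate, and flags any IEEE 802.11b-only rate (1, 2, 5.5 or 11 Mb/s) that is not disabled, with a hotspot switch that skips that last rule because a hotspot deliberately keeps the lowest rate. SAMPLE is the configuration above embedded as a constructed string; HOTSPOT_SAMPLE is a constructed variant.

```python
# Check 'ap dot11 ... rate' settings against the data-rate guidance above.
# Added example, not from the Cisco guide; SAMPLE repeats the guide's rate
# lines as a constructed input string, and HOTSPOT_SAMPLE is a constructed variant.
import re

DOT11B_ONLY = {1.0, 2.0, 5.5, 11.0}   # rates used only by IEEE 802.11b clients

RATE_RE = re.compile(
    r"ap dot11 (24ghz|5ghz) rate RATE_(\d+(?:_\d+)?)M (disable|supported|mandatory)$")

def rate_mbps(token):
    """'5_5' -> 5.5 and '24' -> 24.0; IOS writes the decimal point as an underscore."""
    return float(token.replace("_", "."))

def parse_rates(text):
    """Return {band: {rate_mbps: state}}; a later line for the same rate wins."""
    bands = {}
    for line in text.splitlines():
        m = RATE_RE.match(line.strip())
        if m:
            band, token, state = m.groups()
            bands.setdefault(band, {})[rate_mbps(token)] = state
    return bands

def beacon_rate(rates):
    """Lowest mandatory rate: beacons are sent at it, so it defines the cell size."""
    mandatory = [r for r, state in rates.items() if state == "mandatory"]
    return min(mandatory) if mandatory else None

def report(text):
    """Lowest mandatory (beacon) rate per band, None when a band has no mandatory rate."""
    return {band: beacon_rate(rates) for band, rates in parse_rates(text).items()}

def check_rates(text, hotspot=False):
    """Per band: flag a missing mandatory rate and any 802.11b-only rate that is
    not disabled. A hotspot deliberately keeps the lowest rate for coverage,
    so hotspot=True skips the 802.11b rule."""
    findings = []
    for band, rates in sorted(parse_rates(text).items()):
        if beacon_rate(rates) is None:
            findings.append(f"{band}: no mandatory rate, so no beacon rate is defined")
        if hotspot:
            continue
        for r in sorted(DOT11B_ONLY & set(rates)):
            if rates[r] != "disable":
                findings.append(f"{band}: 802.11b rate {r} Mb/s is {rates[r]}, expected disable")
    return findings

# The guide's 2.4-GHz and 5-GHz rate lines, embedded here as a constructed string.
SAMPLE = """\
ap dot11 24ghz rate RATE_1M disable
ap dot11 24ghz rate RATE_2M disable
ap dot11 24ghz rate RATE_5_5M disable
ap dot11 24ghz rate RATE_6M disable
ap dot11 24ghz rate RATE_9M disable
ap dot11 24ghz rate RATE_11M disable
ap dot11 24ghz rate RATE_12M supported
ap dot11 24ghz rate RATE_18M supported
ap dot11 24ghz rate RATE_24M mandatory
ap dot11 24ghz rate RATE_36M supported
ap dot11 24ghz rate RATE_48M supported
ap dot11 24ghz rate RATE_54M supported
ap dot11 5ghz rate RATE_6M disable
ap dot11 5ghz rate RATE_9M disable
ap dot11 5ghz rate RATE_12M disable
ap dot11 5ghz rate RATE_18M disable
ap dot11 5ghz rate RATE_24M mandatory
ap dot11 5ghz rate RATE_36M supported
ap dot11 5ghz rate RATE_48M supported
ap dot11 5ghz rate RATE_54M supported
"""

# Constructed hotspot variant: 1 Mb/s kept as mandatory to extend the cell.
HOTSPOT_SAMPLE = SAMPLE.replace("RATE_1M disable", "RATE_1M mandatory")

if __name__ == "__main__":
    print(report(SAMPLE), check_rates(SAMPLE))
    print(report(HOTSPOT_SAMPLE), check_rates(HOTSPOT_SAMPLE))
```

With the guide's lines, both bands beacon at 24 Mb/s and no finding is raised; the hotspot variant is flagged unless hotspot=True is passed, which makes the trade-off in the note above (coverage versus airtime) an explicit, reviewable decision rather than something buried in a rate table.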
System Health Monitoring
Monitoring critical system resources is very important to maintain stability of the network. We
recommend that you monitor the switch CPU, memory, file systems, and environmental resources on a
regular basis.
This workflow discusses the commonly used commands and procedures to monitor and maintain system
health.
Step 1 Use the show version command to retrieve the overall switch status.
If you are only interested in the switch uptime and last reload, you can run a more direct command using
the pipe “|” feature built into Cisco IOS XE (and Cisco IOS) software.
This example shows that Cisco IOS XE release 3.3.2 SE was running for five weeks before a privileged
user initiated a switch reload.
Note The switch is a multicore platform that is different from its predecessors. A single core can experience
high CPU, so it is important to monitor each core when running these commands.
This output shows the five-second, one-minute, and five-minute utilization for each CPU core. It also
shows that the Forwarding Engine Driver (FED), IOS daemon (IOSd), and Wireless Controller Module
(WCM) processes have the highest CPU utilization.
Run a System Baseline for Core Resources
Step 3 Use the history command to display a graph of sustained CPU utilization.
This graph helps you identify patterns. For example, if you observe a spike to 100 percent every 30
minutes, you can conclude that something might be polling the switch on a regular schedule. Examine
your SNMP configuration to help determine the cause.
1111122222222222222222222
111111111111111111111111111111222225555588888888886666666666
100
90
80
70
60
50
40
30 ********************
20 *************************
10 *************************
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per second (last 60 seconds)
Reference:
For detailed information to help troubleshoot your high CPU usage concerns, see the Catalyst 3850
Series Switch High CPU Usage Troubleshooting document.
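The per-second graph is read column by column: the digit rows printed above the axis give each second's percentage, a space standing for a leading zero, so the raw numbers can be recovered from saved output. The Python parser below is an added example, not from the Cisco guide. It assumes the IOS layout of a four-character label area followed by 60 data columns, parses a constructed graph that carries the same values as the graph above (the original's column alignment did not survive extraction), and reports runs where the CPU stayed above a threshold for a chosen number of seconds, the sustained load the note on per-core monitoring is concerned with.

```python
# Recover per-second CPU values from the digit rows of 'show processes cpu history'
# and flag sustained load. Added example, not from the Cisco guide; SAMPLE_GRAPH is
# constructed and assumes a 4-column label area followed by 60 data columns.
WIDTH = 60        # data columns in the last-60-seconds graph
LABEL_WIDTH = 4   # y-axis label area to the left of the data columns (assumption)

def parse_cpu_history(text):
    """Read the digit rows printed above the '100' axis label. Each data column,
    read top to bottom, is one percentage; a space stands for a leading zero."""
    digit_rows = []
    for line in text.splitlines():
        if line.strip() == "100":                  # first axis label ends the digit rows
            break
        if line.strip() and set(line) <= set("0123456789 "):
            digit_rows.append(line[LABEL_WIDTH:LABEL_WIDTH + WIDTH].ljust(WIDTH))
    values = []
    for col in range(WIDTH):
        digits = "".join(row[col] for row in digit_rows).strip()
        values.append(int(digits) if digits else 0)
    return values

def sustained_above(values, threshold, seconds):
    """(start, end) index ranges where CPU exceeded `threshold` for at least `seconds` samples."""
    runs, start = [], None
    for i, v in enumerate(list(values) + [None]):   # sentinel closes a trailing run
        if v is not None and v > threshold:
            start = i if start is None else start
        elif start is not None:
            if i - start >= seconds:
                runs.append((start, i - 1))
            start = None
    return runs

# Constructed graph with the same values as the one above: 1% for 30 s, 2% for 5 s,
# 15% for 5 s, 28% for 10 s, then 26% for 10 s. Rows one and two are tens and ones digits.
SAMPLE_GRAPH = (
    "    " + " " * 35 + "1" * 5 + "2" * 20 + "\n"
    "    " + "1" * 30 + "2" * 5 + "5" * 5 + "8" * 10 + "6" * 10 + "\n"
    "    100\n     90\n     80\n     70\n     60\n     50\n     40\n"
    "     30" + " " * 37 + "*" * 20 + "\n"
    "     20" + " " * 32 + "*" * 25 + "\n"
    "     10" + " " * 32 + "*" * 25 + "\n"
    "       0....5....1....1....2....2....3....3....4....4....5....5....\n"
    "                 0    5    0    5    0    5    0    5    0    5\n"
    "               CPU% per second (last 60 seconds)\n"
)

if __name__ == "__main__":
    samples = parse_cpu_history(SAMPLE_GRAPH)
    print("peak", max(samples), "runs over 20%", sustained_above(samples, 20, 10))
```

The same column-reading rule applies to the per-minute and per-hour graphs that follow in the command's output, so the parser can be pointed at those sections to look for the periodic spikes mentioned above; only WIDTH changes (60 for the per-minute graph, 72 for the per-hour graph).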
Note An asterisk (*) indicates the default file system. If the file system shows a dash (-) or a zero (0) in the
Size(b) field, the file system is not present or not recognized.
Step 6 Use the dir filesystem or the show filesystem command to list the files under a specific file system.
When you find crash files, it is important to immediately retrieve them to diagnose a system failure or
unexpected crash.
Run a System Baseline for Environmental Resources
This example shows that crash files were created in the directory.
dir crashinfo
Directory of crashinfo:/
Step 8 If your switches are in a stack, run the show environment stack command to view all of the
environmental outputs stack wide.
Although some of the settings are adjustable, we recommend leaving the settings at their default values.
Other System Monitoring Considerations
Step 10 Use the show spanning-tree detail command to frequently check STP stability.
This command displays network stability information about the number of topology changes within each
VLAN, the last time a TCN was received, and so forth. Frequently monitoring this information is critical
to maintaining overall health of the switch and network.
INDEX
B
Bridge Protocol Data Unit (BPDU) 132
bundle mode 124
C
crashinfo folder 1106
D
DHCP server 187
DHCP snooping 134
Dynamic Channel Assignment (DCA) 198
E
Easy-open mode 190
End-User-License Agreement (EULA) 184
EtherChannels 135, 144
evaluation license 184
H
high impact mode 173
HSRP (Hot Standby Router Protocol) 149
HTTP (HTTPS) 19
L
LACP (Link Aggregation Control Protocol) 144
low impact mode 172
M
MAC Authentication Bypass (MAB) 168
management IP address 114
monitor mode 171
N
NTP server 134
O
out-of-band management 112
P
password 110
provision in phased deployments 168
T
TACACS+ 110
TFTP and FTP server 125
TFTP block size 121, 136